If your 2.3.35 servers can be accessed via a remote connection, anyone
can crash them at any time. Is that considered critical?

Out of curiosity, can you point me at specific weaknesses in 2.3.35 that
we should be concerned about? Are we talking about ITS#s 4923, 4925,
4938, 4966, or something else?

Is this something where they could only crash the server if they could
get direct access to send malformed LDAP queries, or is this something
that could potentially be abused through a third-party XSS-style attack?